UNDERSTANDING ISO 27001 - Ai4

UNDERSTANDING ISO 27001

YOUR ROADMAP TO COMPLIANCE


TABLE OF CONTENTS

WHAT IS ISO 27001? 4

WHY ISO 27001? 5

ISO 27001 VERSUS ISO 27002 5

CONTROLS CROSSWALK 7

ENTERPRISE APPLICABILITY 7

ISO 27001:2013 FRAMEWORK 7

MANDATORY CONTROLS (3.0-10.0) 7

TERMS & DEFINITIONS (3.0) 7

CONTEXT OF THE ORGANIZATION (4.0) 8

LEADERSHIP (5.0) 8

PLANNING (6.0) 8

SUPPORT (7.0) 9

OPERATION (8.0) 9

PERFORMANCE EVALUATION (9.0) 9

IMPROVEMENT REQUIREMENTS (10.0) 10

ANNEX A CONTROLS 10

HOW IS ISO 27001 IMPLEMENTED? 11

THE PDCA MODEL 11


HOW IS ISO 27001 CERTIFICATE OBTAINED? 12

CERTIFICATION MODEL 13

CONFORMANCE MAINTENANCE 13

PROCESS VERSUS PRODUCT 14

CONCLUSION 15


WHAT IS ISO 27001?

ISO 27001 is the only internationally recognized framework of controls codifying the audit

requirements for an Information Security Management System (ISMS).

This Standard was the first of the ISO270## series and first published by the International

Organization for Standardization, or ISO and the International Electrotechnical Commission

(IEC). Its purpose is to develop, maintain and promote standards in the fields of Information

Technology (IT) and Information and Communications Technology (ICT). The first issuance of

the standard was published in November 2005, and revised by ISO/IEC periodically.

The ISO 27001 Standard’s controls are high-level, broad in scope, and conceptual in nature.

This approach allows it to be applied across multiple types of enterprises, organizations and

applications. ISO 27001 is the only information security “standard” devoted to information

security management in a field generally governed by specific operational audit criteria.

While its genesis was information technology, ISO 27001 covers all information security and

includes clauses and controls which drive consideration of physical security, human resources,

awareness training, suppliers/vendors and more.

As a standard that is primarily conceptual, ISO 27001 is not:

• A technical standard

• Product or technology driven

• An equipment evaluation methodology

ISO 27001 is, however:

• A comprehensive baseline of information security management controls that all

information security programs shall address in some manner. This, in essence, makes

ISO 27001 internationally sanctioned “due diligence” that works well with other

frameworks like SOC2, NIST, HIPAA, Six Sigma’s DMAIC method, and the family of

other ISO Standards;

• A driver of an annual assessment of information security risks; and

• A driver of information security governance, in which leadership of all levels of the

areas in scope within the organization, participate. This ensures an understanding and

decision-making participation from leadership in the overall reduction of information

security risks.


WHY ISO 27001?

The information security field has traditionally been based on best practices and guidelines. While this cumulative wisdom of the ages is valid, it is also subject to various interpretations and implementations; this is not always consistent or harmonious. Furthermore, without the risk justification required by ISO 27001, “best practice” is in reality “best guess”. This makes a security program devoid of the underlying analysis that makes control implementation justifiable, defensible and auditable. ISO 27001 offers the following benefits:

• The only internationally recognized management system that can enhance information security interoperability and trust with trading partners;

• A yardstick to evaluate information security program effectiveness;

• A vehicle to certify “due diligence”;

• An umbrella under which multiple data protection regulatory compliances may be managed;

• A repeatable risk-based approach to security and information assets;

• Understand, align and operationalize business objectives in regards to information security; and

• Certification by an impartial third-party gives assurance in the marketplace that those organizations that are certified, have met the stated criteria within the certificate’s area of scope and the statement of applicability to the controls within the standard.

Reasons to pursue an ISO 27001 based Information Security Program also vary:

• For some industries, an ISO 27001 certified operational area may become a de-facto requirement;

• For organizations subject to government regulation, ISO 27001 may increase efficiency and eliminate redundancy in complying with multiple information protection regulations through centralized management;

• ISO 27001 certification creates and improves processes that make it more efficient to make money;

• For data-centric organizations, customer perception of an ISO 27001 certified operational area may offer a marketing advantage; and

• An ISO 27001 certified operational area provides a high degree of defensibility both legally and strategically.

ISO 27001 VERSUS ISO 27002

Both standards serve distinct purposes, hence it is important to understand the differences

between ISO 27001 and ISO 27002. The biggest difference is that organizations cannot certify

to ISO 27002 as it does not contain the control clauses for formation of an Information Security

Management System (ISMS). ISO 27002 can serve as an implementation guide for the Annex


A Controls of ISO 27001. However, ISO 27002 does not use the control language that mandates

conformity.

The ISO 27002 International Standard is designed for organizations to use as a reference for

selecting controls within the process of implementing an Information Security Management

System (ISMS) based on ISO/IEC 27001 or as a guidance document for organizations

implementing commonly accepted information security controls. This standard is also

intended for use in developing industry- and organization-specific information security

management guidelines, taking into consideration their specific information security risk

environment(s).

Organizations of all types and sizes (including public and private sector, commercial and non-

profits, handle information, tangible and intangible, in many formats. The ISO 27001 and/or

ISO 27002 can help define controls that assist in risk mitigation to protect the organization’s

information assets.

ISO 27001 ISO 27002

The certifiable standard which has

mandatory clauses and a framework of

controls that drives the management and

mitigation of information security risks

through policies, standards, and education

the produce repeatable and auditable

requirements for the protection of the

organization’s information assets

An implementation guide based upon best

practice suggestions (not a certifiable

standard)

A list of management controls an

organization shall, or is required to, address

A list of operational controls an

organization should consider when

implementing ISO 27001

Used as a means to audit and certify an

organization’s Information Security

Management System

Used as a means to mature or implement an

ISO 27001-compliant information security

program


CONTROLS CROSSWALK

ISO 27001 provides the governance umbrella under which multiple data protection regulatory compliances may be managed. Further other programs and regulatory controls cross over to a control area within ISO 27001 and documentation and practices can be made to conform to this broad spectrum.

ENTERPRISE APPLICABILITY

ISO 27001 defines a management system as organizational structure that includes policies,

planning activities, responsibilities, practices, procedures, processes, and resources. ISO

27001 further defines an ISMS as that part of the overall management system, based on a risk

approach, to establish, implement, operate, monitor, review, maintain and improve

information security. This comprehensiveness causes an ISO 27001 ISMS to potentially

interact with multiple enterprise departments and programs such as:

• Human Resources (7.0, A.7) • Suppliers / Procurement (A.15)

• Legal / Compliance (A.18) • Business Continuity (A.17)

• Audit (9.0, 10.0) • Operations (A.12)

• Facilities (A.11) • Physical Security (A.11)

ISO 27001:2013 FRAMEWORK

The ISO 27001 control clauses, control areas, control objectives and key control attributes

are summarized below.

MANDATORY CONTROLS (3.0-10.0)

The controls detailed within ISO 27001 sections 3.0 – 10.0 are required for conformance to this

standard, and are considered the “framework” or the tenets that the ISMS is built upon.

TERMS & DEFINITIONS (3.0)

Terms and definitions ensure language used in the program is standard and consistent, this

control requires a glossary of terms and definitions be created for use by the organization.


CONTEXT OF THE ORGANIZATION (4.0)

This clause addresses establishing the context of the ISMS within the enterprise or entire

organization. It calls for the identification of organizational objectives, external and internal

issues, and interested parties, both external and internal, in order to define the scope and

support of the ISMS.

LEADERSHIP (5.0)

The leadership clause places requirements on what the standard refers to as “top

management” – the person or group of people, who directs and controls the organization at

the highest level, to demonstrate leadership and commitment to the ISMS. A specific

responsibility includes establishing the Information Security Policy. Further, this clause places

the requirements for top management to assign information security responsibilities and

authority. The standard focuses on the establishment and concept of governance, the

involvement of the executive team and other top leadership, in the process and ensures

documentation of their efforts.

PLANNING (6.0)

This clause calls for reference to the organizational context and interested parties in

establishing the ISMS to determine the risk and opportunities that need to be addressed, with

the intended result to be:

• Ensure the ISMS can achieve its intended outcomes;

• Prevent or reduce undesired effects;

• Achieve continuous improvement;

• Assure that the risk management process is repeatable;

This is can be accomplished through the assessment of information security risk (risk

assessment, risk treatment plan and the Statement of Applicability (SOA – The in-scope

selection of controls from Annex A). In recent years, ISO 27001 has widened the use of risk

assessment methodologies in order to identify the risks, threats and vulnerabilities that exist

in regards to any organizations information assets. Following the risk assessment, a risk

treatment plan, which includes the assignment of risk owners and the determination of

mitigating controls, is to be carried out.


Further, through this clause, the organization is to establish information security objectives

that support the business objective of the relevant to the business areas (functions) and levels

of management of the organization.

SUPPORT (7.0)

The support clause focuses the requirement of an organization to determine and provide the

necessary resources to establish, implement, maintain and continually improve the ISMS. This

is met through establishing:

• Competence – necessary skills and knowledge to see that information security

activities and actions can in fact be implemented and acted upon

• Awareness – that policies and activities are understood, contributions to the ISMS

can occur, and the implications of nonconformance are understood

• Communication – external and internal relevant communications are understood

• Documentation – required documentation from ISO 27001 is created and present

as well as all other relevant documentation that the organization deems necessary

for the effectiveness of the ISMS

OPERATION (8.0)

Clause 8.0 aims at the organizations ability to execute the plans and processes that are

subject of the previous clauses, which include:

• Establishing the processes needed for the organization to meet its information

security requirements and implement actions needed to address the information

security risk and opportunities

• Conduct regular information security risk assessments in a repeatable manner

• Implement assign owners, and document progress of the information security

risk treatment plan

PERFORMANCE EVALUATION (9.0)

This clause focuses on how the organization is assessing the performance and effectiveness

of the ISMS by identifying how the organization will monitor, measure, analyze and evaluate

its ISMS.


Additionally, this clause identifies the need for an internal audit. The audit program needs to

be capable of determining if the ISMS conforms to the requirements of ISO 27001 and

determining if the ISMS has been implemented effectively or not, yet be separate of its

operation.

Finally, the performance evaluation of the ISMS shall include a review by executive

management at planned intervals. Executive management review includes establishing the

review process, reviewing the performance, metrics of performance and objectives of the

ISMS, generating review outputs and recording such reviews.

IMPROVEMENT REQUIREMENTS (10.0)

ISO 27001 sets the requirement that efforts shall be made to continually improve, identify

opportunities for improvement, taking preventive actions and also to take corrective actions

when nonconformities of controls occur. Organizations are to identify and perform a root

cause analysis and remediate nonconformities against the standard. The cause of

nonconformities is to be identified, corrected, and evaluated.

Finally, an organization shall work to improve and enhance the overall performance of the

ISMS. This is done through a constant understanding of the context of the organization and

the requirements of interested parties to ensure the suitability, adequacy, and effectiveness

of the ISMS.

ANNEX A CONTROLS

The controls detailed within ISO 27001 Annex. ISO 27001 requires that Annex A controls be

addressed if in alignment with the organization’s business practices. The business-friendly

stance of ISO 27001 allows for exclusion based on organizational business practices. These

controls are identified in the Statement of Applicability and are also considered mandatory

unless not in alignment with the business model. Annex A controls not implemented must

have documented justification that will need to be approved and audited against by the

certifying body.


Annex A control areas include:

• Information Security Policies (A.5) • Operations Security (A.12)

• Organization of Information Security (A.6)

• Communication Security (A.13)

• Human Resource Security (A.7) • Systems Acquisition,

Development and Maintenance (A14)

• Asset Management (A.8) • Supplier Relationships

• Access Control (A.9) • Incident Management (A.16)

• Cryptography (A.10) • Information Security Aspects

of Business Continuity Management (A.17)

• Physical and Environmental Security (A.11)

• Compliance (A.18)

HOW IS ISO 27001 IMPLEMENTED?

ISO 27001 is implemented through the creation and maintenance of an ISMS chartered with

establishing, implementing, operating, monitoring, reviewing, maintaining and improving an

organization’s information security.

THE PDCA MODEL

ISO 27001 allows for the adoption of an organization’s preferred continuous improvement

methodology. The most common methodology for implementation and continuous

improvement is the Plan, Do, Check, Act (PDCA) model. The PDCA model is common to other

management systems such as those defined within ISO 9001 (Quality) and ISO 14001

(Environment) and is also consistent with Organization for Economic Co-operation and

Development’s (OEDC) guidelines.


Plan Establish the ISMS

Do Implement and operate the ISMS

Check Monitor and review the ISMS

Act Maintain and improve the ISMS

ISMS is a strategic initiative, and this iterative level one process directly maps to the section

4.0 – 10.0 controls.

HOW IS ISO 27001 CERTIFICATE OBTAINED?

ISO/IEC does not participate in conformance audit activities. However, its standards and

guides standardize conformity of assessment worldwide through independent third-party

auditors.

Plan

Do

Check

Act


Certifies Certifies

Accredits

Audits

CERTIFICATION MODEL

The certification model starts with the national accreditation board of a respective country.

Examples are UKAS in the United Kingdom, and ANAB in the United States. These respective

national accreditation boards accredit individual registrars or registration firms as a

certification body, authorized and competent to audit against ISO 27001 requirements.

The certification body will audit an organization against ISO 27001, potentially leading to ISO

27001 Certification. Once certified, as conformant to ISO 27001, the ISMS become registered,

and under registrar/certification body governance. The validity of the certification and

registration is derived from the national accreditation board of the respective country.

CONFORMANCE MAINTENANCE

The accredited certification body that issued the original Certificate of Conformance and

maintains the registration must approve changes to the security infrastructure defined within

the Scope of Registration. Minor changes may be submitted in writing, furnishing the

evaluator with enough detail to determine impact. Major changes may require re-auditing.

Surveillance visits are performed annually, and a re-certification audit is required every three

years.

Accrediation Body

Certification Body

Certified Auditor

Certified

ISMS


PROCESS VERSUS PRODUCT

There is confusion in the industry regarding both the approach and level of effort required to

implement either an ISO 27002 based information security program or an ISO 27001 certified

operational area. Many organizations simply wish to start with a “standards based”

information security infrastructure, unable to immediately justify the extra effort required for

certification. This “standards based” infrastructure will nevertheless leave them well

positioned to proceed toward certification should a business justification emerge. Other

organizations are misled into believing that the purchase of a “product” will automatically

make them conformant.

Toolkit Approach

• Can produce a set of ISO 27001 pre-written “policies” or “direction” which

addresses risks or perceived risks in a way that may not be easily adaptable by the

organization;

• Cannot cover the ISO 27001 controls addressable by “actions” since actions are

executed uniquely in each environment;

• Cannot assign a defensible risk-based justification unless coupled with a risk

assessment process;

• May create a false sense of security for organizations believing possession of

“security policies” is all that is required for conformance; and

• Cannot speak to the management of the controls required by ISO 27001.

Process Approach

• May utilize a toolkit as a starting point of discussion but uses the risk assessment

to drive the language/actions to finalize policies;

• Considers organizational behavior to gain buy-in at all levels;

• Considers the organizations legal and regulatory environment;

• Acknowledges and works within the organizations culture and values;

• Produces risk justified security requirements, processes, roles, and activities

required to justify the selection of ISO 27001 controls; and

• Is both legally and strategically defensible.


CONCLUSION

• ISO 27002 is the implementers’ guide, suggesting what should be done based upon

internationally recognized best practice.

• An information security program oversees the organization’s information

protection initiative, and may have responsibility over multiple operational areas.

• ISO 27001 is the auditors’ guide specifying what shall be done based upon quality

management principles inherent to a management system:

• Operational areas serve as the basis of establishing the scope of an ISO 27001

certification; and

• Scope of a NIST, HIPAA or SOC2 or other information security program and an

ISO 27001 operational area do not have to be the same.

There is an ever-increasing demand for information security certification. This phenomenon

will be driven by many factors, including:

• Regulatory requirements, such as GDPR, HIPAA, GLBA and SOX which require

information security to be managed;

• Marketing incentives;

• Financial incentives, such as insurance premium reductions; and

• Corporate and legal “due diligence” concerns.

Since ISO 27001’s ISO/IEC committee has security practitioners from various types of

organizations who regularly review and update the standard, adoption of ISO 27001 helps all

types of organizations keep their program relevant to changes to the current information

security landscape. The flexibility to conform to the controls based on each organization’s

unique practices allows the adoption of this standard by all and additionally forms the basis

and building blocks for easy expansion to implementation of other regulatory controls.


FOR MORE

INFORMATION ABOUT

GREYCASTLE

SECURITY AND ITS

CAPABILITIES

www.greycastlesecurity.com

518.274.7233

[email protected]

Documents

UNDERSTANDING ISO 27001 - Ai4